Hello community, here is the log from the commit of package shorewall for openSUSE:Factory checked in at 2020-08-24 15:13:43 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shorewall (Old) and /work/SRC/openSUSE:Factory/.shorewall.new.3399 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shorewall" Mon Aug 24 15:13:43 2020 rev:119 rq:828806 version:5.2.7 Changes: -------- --- /work/SRC/openSUSE:Factory/shorewall/shorewall.changes 2020-07-08 19:17:56.092058400 +0200 +++ /work/SRC/openSUSE:Factory/.shorewall.new.3399/shorewall.changes 2020-08-24 15:14:22.810723777 +0200 @@ -1,0 +2,25 @@ +Sat Aug 22 09:27:03 UTC 2020 - Bruno Friedmann <br...@ioda-net.ch> + +- Update to version 5.2.7 + + **Upgrade your configuration** + https://shorewall.org/pub/shorewall/5.2/shorewall-5.2.7/releasenotes.txt + + Previously, it was not possible to classify traffic by destination + IP address when using an Intermediate Functional Block (IFB) for + traffic shaping. This is because such classification takes place + before the traffic passes through the mangle PREROUTING chain. + Such filtering is now possible by setting the 'connmark' option in + the tcdevices file. This option causes the current connection mark + to be copied to the packet mark prior to filtering, thus allowing + the packet mark to be used for classification. + This change adds a new CONNMARK_ACTION capability which is + required to be able to specify the 'connmark' option. + + The tcpri file now supports ?FORMAT 2 which inserts an SPORT + column directly to the right of the PORT column. As part of this + change, the PORT column is renamed to DPORT while allowing both + 'port' and 'dport' to be used in the alternate input format. See + shorewall-tcpri(5) and + http://shorewall.org/simple_traffic_shaping.html for additional + information. + + The Simple TC document is now linked to FAQs 97 and 97a. + +------------------------------------------------------------------- Old: ---- shorewall-5.2.6.tar.bz2 shorewall-core-5.2.6.tar.bz2 shorewall-docs-html-5.2.6.tar.bz2 shorewall-init-5.2.6.tar.bz2 shorewall-lite-5.2.6.tar.bz2 shorewall6-5.2.6.tar.bz2 shorewall6-lite-5.2.6.tar.bz2 New: ---- shorewall-5.2.7.tar.bz2 shorewall-core-5.2.7.tar.bz2 shorewall-docs-html-5.2.7.tar.bz2 shorewall-init-5.2.7.tar.bz2 shorewall-lite-5.2.7.tar.bz2 shorewall6-5.2.7.tar.bz2 shorewall6-lite-5.2.7.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shorewall.spec ++++++ --- /var/tmp/diff_new_pack.0oH0hJ/_old 2020-08-24 15:14:25.890725278 +0200 +++ /var/tmp/diff_new_pack.0oH0hJ/_new 2020-08-24 15:14:25.890725278 +0200 @@ -18,7 +18,7 @@ %define have_systemd 1 %define dmaj 5.2 -%define dmin 5.2.6 +%define dmin 5.2.7 # Warn users for upgrading configuration but only on major or minor version changes %define conf_need_update 0 #2017+ New fillup location @@ -26,7 +26,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: shorewall -Version: 5.2.6 +Version: 5.2.7 Release: 0 Summary: An iptables-based firewall for Linux systems License: GPL-2.0-only ++++++ shorewall-5.2.6.tar.bz2 -> shorewall-5.2.7.tar.bz2 ++++++ ++++ 1659 lines of diff (skipped) ++++++ shorewall-core-5.2.6.tar.bz2 -> shorewall-core-5.2.7.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.6/changelog.txt new/shorewall-core-5.2.7/changelog.txt --- old/shorewall-core-5.2.6/changelog.txt 2020-07-04 19:40:53.000000000 +0200 +++ new/shorewall-core-5.2.7/changelog.txt 2020-07-29 21:53:02.000000000 +0200 @@ -1,3 +1,25 @@ +Changes in 5.2.7 Final + +1) Update release documents + +Changes in 5.2.7 RC 1 + +1) Update release documents + +2) Update Shared Config article. + +3) Link the Simple TC article to FAQs 97 and 97a. + +Changes in 5.2.7 Beta 1 + +1) Update release documents + +2) Add the 'connmark' option in tcdevices. + +3) Support ?FORMAT 2 in the tcpri file. + +4) Merge defect repair from 5.2.6.1. + Changes in 5.2.6 Final 1) Update release documents diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.6/configure new/shorewall-core-5.2.7/configure --- old/shorewall-core-5.2.6/configure 2020-07-04 19:40:53.000000000 +0200 +++ new/shorewall-core-5.2.7/configure 2020-07-29 21:53:02.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.2.6 +VERSION=5.2.7 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.6/configure.pl new/shorewall-core-5.2.7/configure.pl --- old/shorewall-core-5.2.6/configure.pl 2020-07-04 19:40:53.000000000 +0200 +++ new/shorewall-core-5.2.7/configure.pl 2020-07-29 21:53:02.000000000 +0200 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '5.2.6' + VERSION => '5.2.7' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.6/install.sh new/shorewall-core-5.2.7/install.sh --- old/shorewall-core-5.2.6/install.sh 2020-07-04 19:40:53.000000000 +0200 +++ new/shorewall-core-5.2.7/install.sh 2020-07-29 21:53:02.000000000 +0200 @@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=5.2.6 +VERSION=5.2.7 PRODUCT=shorewall-core Product="Shorewall Core" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.6/lib.cli new/shorewall-core-5.2.7/lib.cli --- old/shorewall-core-5.2.6/lib.cli 2020-07-04 19:40:43.000000000 +0200 +++ new/shorewall-core-5.2.7/lib.cli 2020-07-26 18:53:16.000000000 +0200 @@ -25,7 +25,7 @@ # loaded after this one and replaces some of the functions declared here. # -SHOREWALL_CAPVERSION=50200 +SHOREWALL_CAPVERSION=50207 if [ -z "$g_basedir" ]; then # @@ -2878,6 +2878,7 @@ NETMAP_TARGET= NFLOG_SIZE= RESTORE_WAIT_OPTION= + CONNMARK_ACTION= AMANDA_HELPER= FTP_HELPER= @@ -3245,6 +3246,10 @@ BASIC_FILTER=Yes $TC filter add basic help 2>&1 | egrep -q match && BASIC_EMATCH=Yes fi + + if $TC action add connmark help 2>&1 | grep -q ^Usage; then + CONNMARK_ACTION=Yes + fi fi [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes @@ -3388,6 +3393,7 @@ report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET report_capability "--nflog-size support (NFLOG_SIZE)" $NFLOG_SIZE report_capability "INPUT chain in nat table (NAT_INPUT_CHAIN)" $NAT_INPUT_CHAIN + report_capability "TC connmark support (CONNMARK_ACTION)" $CONNMARK_ACTION echo " Kernel Version (KERNELVERSION): $KERNELVERSION" echo " Capabilities Version (CAPVERSION): $CAPVERSION" @@ -3494,6 +3500,7 @@ report_capability1 NFLOG_SIZE report_capability1 RESTORE_WAIT_OPTION report_capability1 NAT_INPUT_CHAIN + report_capability1 CONNMARK_ACTION report_capability1 AMANDA_HELPER report_capability1 FTP_HELPER diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.6/lib.core new/shorewall-core-5.2.7/lib.core --- old/shorewall-core-5.2.6/lib.core 2020-07-04 19:40:43.000000000 +0200 +++ new/shorewall-core-5.2.7/lib.core 2020-07-26 18:53:16.000000000 +0200 @@ -337,8 +337,15 @@ . $F fi - if [ -n "$g_shorewalldir" ]; then - [ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH + if [ -n "$g_shorewalldir" ] && [ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ];then + case $CONFIG_PATH in + :*) + CONFIG_PATH=${g_shorewalldir}${CONFIG_PATH} + ;; + *) + CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH + ;; + esac fi } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.6/manpages/shorewall.8 new/shorewall-core-5.2.7/manpages/shorewall.8 --- old/shorewall-core-5.2.6/manpages/shorewall.8 2020-07-04 19:42:30.000000000 +0200 +++ new/shorewall-core-5.2.7/manpages/shorewall.8 2020-07-29 21:54:41.000000000 +0200 @@ -2,12 +2,12 @@ .\" Title: shorewall .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 07/04/2020 +.\" Date: 07/29/2020 .\" Manual: Administrative Commands .\" Source: Administrative Commands .\" Language: English .\" -.TH "SHOREWALL" "8" "07/04/2020" "Administrative Commands" "Administrative Commands" +.TH "SHOREWALL" "8" "07/29/2020" "Administrative Commands" "Administrative Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.6/releasenotes.txt new/shorewall-core-5.2.7/releasenotes.txt --- old/shorewall-core-5.2.6/releasenotes.txt 2020-07-04 19:40:53.000000000 +0200 +++ new/shorewall-core-5.2.7/releasenotes.txt 2020-07-29 21:53:02.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 2 . 6 + S H O R E W A L L 5 . 2 . 7 ------------------------------- - J U L Y 0 4 , 2 0 2 0 + J U L Y 3 1 , 2 0 2 0 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE @@ -14,46 +14,7 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) This release includes defect repair up through Shorewall version - 5.2.5.2. - -2) When compiling for export, the compiler generates a firewall.conf - file which is later installed on the remote firewall system as - ${VARDIR}/firewall.conf. Previously, the CLI on that firewall was - not processing the file, resulting in some features not being - available: - - - Default values for VERBOSITY, LOGFILE, LOGFORMAT, PATH, - SHOREWALL_SHELL, SUBSYSLOCK, RESTOREFILE, RESTART, - DYNAMIC_BLACKLIST and PAGER are not supplied. - - - scfilter file supplied at compile time. - - - dumpfilter file supplied at compile time. - - That has been corrected. - -3) A bug in iptables (see - https://git.netfilter.org/iptables/commit/?id=d1555a0906e35ba8d170613d5a43da64e527dbe1) - prevents the '--queue-cpu-fanout' option from being applied unless - that option is the last one specified. Unfortunately, Shorewall - places the '--queue-bypass' option last if that option is also - specified. - - This release works around this issue by ensuring that the - '--queue-cpu-fanout' option appears last. - -4) The -D 'compile', 'check', 'reload' and 'Restart' option was - previously omitted from the output of 'shorewall help'. It is now - included. As part of this change, an incorrect and conflicting - description of the -D option was removed from the 'remote-restart' - section of shorewall(8). - -5) Previously, when EXPAND_POLICIES=No, chains that enforced ACCEPT - policies were not completely optimized by optimize level 2 (ACCEPT - rules preceding the final unconditional ACCEPT were not - deleted). That has been corrected such that these rules are now - optimized. +1) This release contains defect repair up through Shorewall 5.2.6.1. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G @@ -101,45 +62,30 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) The 'actions' file now supports a 'dport' option to go along with - the 'proto' option. Using these two options can now restrict an - action to a particular service. See shorewall-actions(5) for - details. - - Example limiting net->all SSH connections to 3/min per source IP: - - /etc/shorewall/actions: - - SSHLIMIT proto=tcp,\ # Blacklist overzealous SSHers - dport=ssh - - /etc/shorewall/action.SSLHIMIT - - ACCEPT { RATE=s:3/min:3 } - BLACKLIST:$LOG_LEVEL:net_SSHLIMIT - - /etc/shorewall/rules: - - SSHLIMIT net all - -2) The change to 'show actions' implemented in 5.2.5.1 (see below) - has been further extended. - - - "?IF...?ELSE...?ENDIF" sequences are now shown in the output - - Continuation lines are now shown in the output so that all - action options are now displayed - - If an action appears in both /usr/share/shorewall[6]/actions.std - and in /etc/shorewall[6]/actions, then the entry in the actions - file is shown followed by the entry in the actions.std file. +1) Previously, it was not possible to classify traffic by destination + IP address when using an Intermediate Functional Block (IFB) for + traffic shaping. This is because such classification takes place + before the traffic passes through the mangle PREROUTING chain. + + Such filtering is now possible by setting the 'connmark' option in + the tcdevices file. This option causes the current connection mark + to be copied to the packet mark prior to filtering, thus allowing + the packet mark to be used for classification. + + This change adds a new CONNMARK_ACTION capability which is + required to be able to specify the 'connmark' option. + + Rodrigo Araujo provided the bulk of the code for this enhancement. + +2) The tcpri file now supports ?FORMAT 2 which inserts an SPORT + column directly to the right of the PORT column. As part of this + change, the PORT column is renamed to DPORT while allowing both + 'port' and 'dport' to be used in the alternate input format. See + shorewall-tcpri(5) and + http://shorewall.org/simple_traffic_shaping.html for additional + information. -3) To emphasize that it specifies destination ports, the PORT column - in the snat file has been renamed DPORT. Beginning with this - release, both 'port' and 'dport' are accepted in the alternative - input format. - -4) The snat file now supports ?FORMAT 2, which adds an SPORT (source - port) column immediately to the right of the DPORT (destination - port) column. +3) The Simple TC document is now linked to FAQs 97 and 97a. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S @@ -539,6 +485,135 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 5 . 2 R E L E A S E S ---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 2 . 6 +---------------------------------------------------------------------------- + +1) The 'actions' file now supports a 'dport' option to go along with + the 'proto' option. Using these two options can now restrict an + action to a particular service. See shorewall-actions(5) for + details. + + Example limiting net->all SSH connections to 3/min per source IP: + + /etc/shorewall/actions: + + SSHLIMIT proto=tcp,\ # Blacklist overzealous SSHers + dport=ssh + + /etc/shorewall/action.SSLHIMIT + + ACCEPT { RATE=s:3/min:3 } + BLACKLIST:$LOG_LEVEL:net_SSHLIMIT + + /etc/shorewall/rules: + + SSHLIMIT net all + +2) The change to 'show actions' implemented in 5.2.5.1 (see below) + has been further extended. + + - "?IF...?ELSE...?ENDIF" sequences are now shown in the output + - Continuation lines are now shown in the output so that all + action options are now displayed + - If an action appears in both /usr/share/shorewall[6]/actions.std + and in /etc/shorewall[6]/actions, then the entry in the actions + file is shown followed by the entry in the actions.std file. + +3) To emphasize that it specifies destination ports, the PORT column + in the snat file has been renamed DPORT. Beginning with this + release, both 'port' and 'dport' are accepted in the alternative + input format. + +4) The snat file now supports ?FORMAT 2, which adds an SPORT (source + port) column immediately to the right of the DPORT (destination + port) column. + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 2 . 6 +---------------------------------------------------------------------------- + +5.2.6.1 + +1) Previously, Perl diagnostics or outright failures could occur + during update. + + Examples: + + Processing /etc/shorewall/params ... + Use of uninitialized value $policy in pattern match (m//) at + /usr/share/shorewall/Shorewall/Config.pm line 5531. + Use of uninitialized value $policy in pattern match (m//) at + /usr/share/shorewall/Shorewall/Config.pm line 5537. + Use of uninitialized value $policy in pattern match (m//) at + /usr/share/shorewall/Shorewall/Config.pm line 5543. + Use of uninitialized value $policy in pattern match (m//) at + /usr/share/shorewall/Shorewall/Config.pm line 5531. + Use of uninitialized value $policy in pattern match (m//) at + /usr/share/shorewall/Shorewall/Config.pm line 5537. + Use of uninitialized value $policy in pattern match (m//) at + /usr/share/shorewall/Shorewall/Config.pm line 5543. + Configuration file /root/try/shorewall.conf updated - old file renamed + /root/try/shorewall.conf.bak + Loading Modules... + ERROR: Internal error in Shorewall::Config::detect_capability + + This defect has been corrected. + +2) Previously, if 'update' added a CONFIG_PATH setting to + shorewall[6].conf, that setting could contain "::" which could + then cause the next 'update' to fail. Now, the compiler correctly + handles double colons in the CONFIG_PATH setting. + +3) Local zones (type 'local' in /etc/shorewall[6]/zones) are only + accessible from the firewall and from vserver zones. Previously, + the compiler generated superluous rules for handling forwarded + traffic from such zones; that has been corrected, and no + forwarding rules are now generated. + +5.2.6 + +1) This release includes defect repair up through Shorewall version + 5.2.5.2. + +2) When compiling for export, the compiler generates a firewall.conf + file which is later installed on the remote firewall system as + ${VARDIR}/firewall.conf. Previously, the CLI on that firewall was + not processing the file, resulting in some features not being + available: + + - Default values for VERBOSITY, LOGFILE, LOGFORMAT, PATH, + SHOREWALL_SHELL, SUBSYSLOCK, RESTOREFILE, RESTART, + DYNAMIC_BLACKLIST and PAGER are not supplied. + + - scfilter file supplied at compile time. + + - dumpfilter file supplied at compile time. + + That has been corrected. + +3) A bug in iptables (see + https://git.netfilter.org/iptables/commit/?id=d1555a0906e35ba8d170613d5a43da64e527dbe1) + prevents the '--queue-cpu-fanout' option from being applied unless + that option is the last one specified. Unfortunately, Shorewall + places the '--queue-bypass' option last if that option is also + specified. + + This release works around this issue by ensuring that the + '--queue-cpu-fanout' option appears last. + +4) The -D 'compile', 'check', 'reload' and 'Restart' option was + previously omitted from the output of 'shorewall help'. It is now + included. As part of this change, an incorrect and conflicting + description of the -D option was removed from the 'remote-restart' + section of shorewall(8). + +5) Previously, when EXPAND_POLICIES=No, chains that enforced ACCEPT + policies were not completely optimized by optimize level 2 (ACCEPT + rules preceding the final unconditional ACCEPT were not + deleted). That has been corrected such that these rules are now + optimized. + +---------------------------------------------------------------------------- N E W F E A T U R E S I N 5 . 2 . 5 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.6/shorewall-core.spec new/shorewall-core-5.2.7/shorewall-core.spec --- old/shorewall-core-5.2.6/shorewall-core.spec 2020-07-04 19:40:53.000000000 +0200 +++ new/shorewall-core-5.2.7/shorewall-core.spec 2020-07-29 21:53:02.000000000 +0200 @@ -1,5 +1,5 @@ %define name shorewall-core -%define version 5.2.6 +%define version 5.2.7 %define release 0base Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. @@ -69,6 +69,12 @@ %doc COPYING INSTALL changelog.txt releasenotes.txt %changelog +* Wed Jul 29 2020 Tom Eastep <teas...@shorewall.net> +- Updated to 5.2.7-0base +* Sat Jul 25 2020 Tom Eastep <teas...@shorewall.net> +- Updated to 5.2.7-0RC1 +* Tue Jul 07 2020 Tom Eastep <t...@shorewall.net> +- Updated to 5.2.7-0Beta1 * Mon Jun 29 2020 Tom Eastep <t...@shorewall.net> - Updated to 5.2.6-0base * Sat Jun 27 2020 Tom Eastep <t...@shorewall.net> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-core-5.2.6/uninstall.sh new/shorewall-core-5.2.7/uninstall.sh --- old/shorewall-core-5.2.6/uninstall.sh 2020-07-04 19:40:53.000000000 +0200 +++ new/shorewall-core-5.2.7/uninstall.sh 2020-07-29 21:53:02.000000000 +0200 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.2.6 +VERSION=5.2.7 PRODUCT=shorewall-core Product="Shorewall Core" ++++++ shorewall-docs-html-5.2.6.tar.bz2 -> shorewall-docs-html-5.2.7.tar.bz2 ++++++ ++++ 2419 lines of diff (skipped) ++++++ shorewall-init-5.2.6.tar.bz2 -> shorewall-init-5.2.7.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.6/changelog.txt new/shorewall-init-5.2.7/changelog.txt --- old/shorewall-init-5.2.6/changelog.txt 2020-07-04 19:40:53.000000000 +0200 +++ new/shorewall-init-5.2.7/changelog.txt 2020-07-29 21:53:02.000000000 +0200 @@ -1,3 +1,25 @@ +Changes in 5.2.7 Final + +1) Update release documents + +Changes in 5.2.7 RC 1 + +1) Update release documents + +2) Update Shared Config article. + +3) Link the Simple TC article to FAQs 97 and 97a. + +Changes in 5.2.7 Beta 1 + +1) Update release documents + +2) Add the 'connmark' option in tcdevices. + +3) Support ?FORMAT 2 in the tcpri file. + +4) Merge defect repair from 5.2.6.1. + Changes in 5.2.6 Final 1) Update release documents diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.6/configure new/shorewall-init-5.2.7/configure --- old/shorewall-init-5.2.6/configure 2020-07-04 19:40:53.000000000 +0200 +++ new/shorewall-init-5.2.7/configure 2020-07-29 21:53:02.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.2.6 +VERSION=5.2.7 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.6/configure.pl new/shorewall-init-5.2.7/configure.pl --- old/shorewall-init-5.2.6/configure.pl 2020-07-04 19:40:53.000000000 +0200 +++ new/shorewall-init-5.2.7/configure.pl 2020-07-29 21:53:02.000000000 +0200 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '5.2.6' + VERSION => '5.2.7' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.6/install.sh new/shorewall-init-5.2.7/install.sh --- old/shorewall-init-5.2.6/install.sh 2020-07-04 19:40:53.000000000 +0200 +++ new/shorewall-init-5.2.7/install.sh 2020-07-29 21:53:02.000000000 +0200 @@ -27,7 +27,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # -VERSION=5.2.6 +VERSION=5.2.7 PRODUCT=shorewall-init Product="Shorewall Init" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.6/releasenotes.txt new/shorewall-init-5.2.7/releasenotes.txt --- old/shorewall-init-5.2.6/releasenotes.txt 2020-07-04 19:40:53.000000000 +0200 +++ new/shorewall-init-5.2.7/releasenotes.txt 2020-07-29 21:53:02.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 2 . 6 + S H O R E W A L L 5 . 2 . 7 ------------------------------- - J U L Y 0 4 , 2 0 2 0 + J U L Y 3 1 , 2 0 2 0 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE @@ -14,46 +14,7 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) This release includes defect repair up through Shorewall version - 5.2.5.2. - -2) When compiling for export, the compiler generates a firewall.conf - file which is later installed on the remote firewall system as - ${VARDIR}/firewall.conf. Previously, the CLI on that firewall was - not processing the file, resulting in some features not being - available: - - - Default values for VERBOSITY, LOGFILE, LOGFORMAT, PATH, - SHOREWALL_SHELL, SUBSYSLOCK, RESTOREFILE, RESTART, - DYNAMIC_BLACKLIST and PAGER are not supplied. - - - scfilter file supplied at compile time. - - - dumpfilter file supplied at compile time. - - That has been corrected. - -3) A bug in iptables (see - https://git.netfilter.org/iptables/commit/?id=d1555a0906e35ba8d170613d5a43da64e527dbe1) - prevents the '--queue-cpu-fanout' option from being applied unless - that option is the last one specified. Unfortunately, Shorewall - places the '--queue-bypass' option last if that option is also - specified. - - This release works around this issue by ensuring that the - '--queue-cpu-fanout' option appears last. - -4) The -D 'compile', 'check', 'reload' and 'Restart' option was - previously omitted from the output of 'shorewall help'. It is now - included. As part of this change, an incorrect and conflicting - description of the -D option was removed from the 'remote-restart' - section of shorewall(8). - -5) Previously, when EXPAND_POLICIES=No, chains that enforced ACCEPT - policies were not completely optimized by optimize level 2 (ACCEPT - rules preceding the final unconditional ACCEPT were not - deleted). That has been corrected such that these rules are now - optimized. +1) This release contains defect repair up through Shorewall 5.2.6.1. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G @@ -101,45 +62,30 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) The 'actions' file now supports a 'dport' option to go along with - the 'proto' option. Using these two options can now restrict an - action to a particular service. See shorewall-actions(5) for - details. - - Example limiting net->all SSH connections to 3/min per source IP: - - /etc/shorewall/actions: - - SSHLIMIT proto=tcp,\ # Blacklist overzealous SSHers - dport=ssh - - /etc/shorewall/action.SSLHIMIT - - ACCEPT { RATE=s:3/min:3 } - BLACKLIST:$LOG_LEVEL:net_SSHLIMIT - - /etc/shorewall/rules: - - SSHLIMIT net all - -2) The change to 'show actions' implemented in 5.2.5.1 (see below) - has been further extended. - - - "?IF...?ELSE...?ENDIF" sequences are now shown in the output - - Continuation lines are now shown in the output so that all - action options are now displayed - - If an action appears in both /usr/share/shorewall[6]/actions.std - and in /etc/shorewall[6]/actions, then the entry in the actions - file is shown followed by the entry in the actions.std file. +1) Previously, it was not possible to classify traffic by destination + IP address when using an Intermediate Functional Block (IFB) for + traffic shaping. This is because such classification takes place + before the traffic passes through the mangle PREROUTING chain. + + Such filtering is now possible by setting the 'connmark' option in + the tcdevices file. This option causes the current connection mark + to be copied to the packet mark prior to filtering, thus allowing + the packet mark to be used for classification. + + This change adds a new CONNMARK_ACTION capability which is + required to be able to specify the 'connmark' option. + + Rodrigo Araujo provided the bulk of the code for this enhancement. + +2) The tcpri file now supports ?FORMAT 2 which inserts an SPORT + column directly to the right of the PORT column. As part of this + change, the PORT column is renamed to DPORT while allowing both + 'port' and 'dport' to be used in the alternate input format. See + shorewall-tcpri(5) and + http://shorewall.org/simple_traffic_shaping.html for additional + information. -3) To emphasize that it specifies destination ports, the PORT column - in the snat file has been renamed DPORT. Beginning with this - release, both 'port' and 'dport' are accepted in the alternative - input format. - -4) The snat file now supports ?FORMAT 2, which adds an SPORT (source - port) column immediately to the right of the DPORT (destination - port) column. +3) The Simple TC document is now linked to FAQs 97 and 97a. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S @@ -539,6 +485,135 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 5 . 2 R E L E A S E S ---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 2 . 6 +---------------------------------------------------------------------------- + +1) The 'actions' file now supports a 'dport' option to go along with + the 'proto' option. Using these two options can now restrict an + action to a particular service. See shorewall-actions(5) for + details. + + Example limiting net->all SSH connections to 3/min per source IP: + + /etc/shorewall/actions: + + SSHLIMIT proto=tcp,\ # Blacklist overzealous SSHers + dport=ssh + + /etc/shorewall/action.SSLHIMIT + + ACCEPT { RATE=s:3/min:3 } + BLACKLIST:$LOG_LEVEL:net_SSHLIMIT + + /etc/shorewall/rules: + + SSHLIMIT net all + +2) The change to 'show actions' implemented in 5.2.5.1 (see below) + has been further extended. + + - "?IF...?ELSE...?ENDIF" sequences are now shown in the output + - Continuation lines are now shown in the output so that all + action options are now displayed + - If an action appears in both /usr/share/shorewall[6]/actions.std + and in /etc/shorewall[6]/actions, then the entry in the actions + file is shown followed by the entry in the actions.std file. + +3) To emphasize that it specifies destination ports, the PORT column + in the snat file has been renamed DPORT. Beginning with this + release, both 'port' and 'dport' are accepted in the alternative + input format. + +4) The snat file now supports ?FORMAT 2, which adds an SPORT (source + port) column immediately to the right of the DPORT (destination + port) column. + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 2 . 6 +---------------------------------------------------------------------------- + +5.2.6.1 + +1) Previously, Perl diagnostics or outright failures could occur + during update. + + Examples: + + Processing /etc/shorewall/params ... + Use of uninitialized value $policy in pattern match (m//) at + /usr/share/shorewall/Shorewall/Config.pm line 5531. + Use of uninitialized value $policy in pattern match (m//) at + /usr/share/shorewall/Shorewall/Config.pm line 5537. + Use of uninitialized value $policy in pattern match (m//) at + /usr/share/shorewall/Shorewall/Config.pm line 5543. + Use of uninitialized value $policy in pattern match (m//) at + /usr/share/shorewall/Shorewall/Config.pm line 5531. + Use of uninitialized value $policy in pattern match (m//) at + /usr/share/shorewall/Shorewall/Config.pm line 5537. + Use of uninitialized value $policy in pattern match (m//) at + /usr/share/shorewall/Shorewall/Config.pm line 5543. + Configuration file /root/try/shorewall.conf updated - old file renamed + /root/try/shorewall.conf.bak + Loading Modules... + ERROR: Internal error in Shorewall::Config::detect_capability + + This defect has been corrected. + +2) Previously, if 'update' added a CONFIG_PATH setting to + shorewall[6].conf, that setting could contain "::" which could + then cause the next 'update' to fail. Now, the compiler correctly + handles double colons in the CONFIG_PATH setting. + +3) Local zones (type 'local' in /etc/shorewall[6]/zones) are only + accessible from the firewall and from vserver zones. Previously, + the compiler generated superluous rules for handling forwarded + traffic from such zones; that has been corrected, and no + forwarding rules are now generated. + +5.2.6 + +1) This release includes defect repair up through Shorewall version + 5.2.5.2. + +2) When compiling for export, the compiler generates a firewall.conf + file which is later installed on the remote firewall system as + ${VARDIR}/firewall.conf. Previously, the CLI on that firewall was + not processing the file, resulting in some features not being + available: + + - Default values for VERBOSITY, LOGFILE, LOGFORMAT, PATH, + SHOREWALL_SHELL, SUBSYSLOCK, RESTOREFILE, RESTART, + DYNAMIC_BLACKLIST and PAGER are not supplied. + + - scfilter file supplied at compile time. + + - dumpfilter file supplied at compile time. + + That has been corrected. + +3) A bug in iptables (see + https://git.netfilter.org/iptables/commit/?id=d1555a0906e35ba8d170613d5a43da64e527dbe1) + prevents the '--queue-cpu-fanout' option from being applied unless + that option is the last one specified. Unfortunately, Shorewall + places the '--queue-bypass' option last if that option is also + specified. + + This release works around this issue by ensuring that the + '--queue-cpu-fanout' option appears last. + +4) The -D 'compile', 'check', 'reload' and 'Restart' option was + previously omitted from the output of 'shorewall help'. It is now + included. As part of this change, an incorrect and conflicting + description of the -D option was removed from the 'remote-restart' + section of shorewall(8). + +5) Previously, when EXPAND_POLICIES=No, chains that enforced ACCEPT + policies were not completely optimized by optimize level 2 (ACCEPT + rules preceding the final unconditional ACCEPT were not + deleted). That has been corrected such that these rules are now + optimized. + +---------------------------------------------------------------------------- N E W F E A T U R E S I N 5 . 2 . 5 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.6/shorewall-init.spec new/shorewall-init-5.2.7/shorewall-init.spec --- old/shorewall-init-5.2.6/shorewall-init.spec 2020-07-04 19:40:53.000000000 +0200 +++ new/shorewall-init-5.2.7/shorewall-init.spec 2020-07-29 21:53:02.000000000 +0200 @@ -1,5 +1,5 @@ %define name shorewall-init -%define version 5.2.6 +%define version 5.2.7 %define release 0base Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). @@ -135,6 +135,12 @@ %doc COPYING changelog.txt releasenotes.txt %changelog +* Wed Jul 29 2020 Tom Eastep <teas...@shorewall.net> +- Updated to 5.2.7-0base +* Sat Jul 25 2020 Tom Eastep <teas...@shorewall.net> +- Updated to 5.2.7-0RC1 +* Tue Jul 07 2020 Tom Eastep <t...@shorewall.net> +- Updated to 5.2.7-0Beta1 * Mon Jun 29 2020 Tom Eastep <t...@shorewall.net> - Updated to 5.2.6-0base * Sat Jun 27 2020 Tom Eastep <t...@shorewall.net> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-init-5.2.6/uninstall.sh new/shorewall-init-5.2.7/uninstall.sh --- old/shorewall-init-5.2.6/uninstall.sh 2020-07-04 19:40:53.000000000 +0200 +++ new/shorewall-init-5.2.7/uninstall.sh 2020-07-29 21:53:02.000000000 +0200 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.2.6 +VERSION=5.2.7 PRODUCT=shorewall-init Product="Shorewall Init" ++++++ shorewall-lite-5.2.6.tar.bz2 -> shorewall-lite-5.2.7.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.6/changelog.txt new/shorewall-lite-5.2.7/changelog.txt --- old/shorewall-lite-5.2.6/changelog.txt 2020-07-04 19:40:53.000000000 +0200 +++ new/shorewall-lite-5.2.7/changelog.txt 2020-07-29 21:53:02.000000000 +0200 @@ -1,3 +1,25 @@ +Changes in 5.2.7 Final + +1) Update release documents + +Changes in 5.2.7 RC 1 + +1) Update release documents + +2) Update Shared Config article. + +3) Link the Simple TC article to FAQs 97 and 97a. + +Changes in 5.2.7 Beta 1 + +1) Update release documents + +2) Add the 'connmark' option in tcdevices. + +3) Support ?FORMAT 2 in the tcpri file. + +4) Merge defect repair from 5.2.6.1. + Changes in 5.2.6 Final 1) Update release documents diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.6/configure new/shorewall-lite-5.2.7/configure --- old/shorewall-lite-5.2.6/configure 2020-07-04 19:40:53.000000000 +0200 +++ new/shorewall-lite-5.2.7/configure 2020-07-29 21:53:02.000000000 +0200 @@ -28,7 +28,7 @@ # # Build updates this # -VERSION=5.2.6 +VERSION=5.2.7 case "$BASH_VERSION" in [4-9].*) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.6/configure.pl new/shorewall-lite-5.2.7/configure.pl --- old/shorewall-lite-5.2.6/configure.pl 2020-07-04 19:40:53.000000000 +0200 +++ new/shorewall-lite-5.2.7/configure.pl 2020-07-29 21:53:02.000000000 +0200 @@ -31,7 +31,7 @@ # Build updates this # use constant { - VERSION => '5.2.6' + VERSION => '5.2.7' }; my %params; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.6/install.sh new/shorewall-lite-5.2.7/install.sh --- old/shorewall-lite-5.2.6/install.sh 2020-07-04 19:40:53.000000000 +0200 +++ new/shorewall-lite-5.2.7/install.sh 2020-07-29 21:53:02.000000000 +0200 @@ -22,7 +22,7 @@ # along with this program; if not, see <http://www.gnu.org/licenses/>. # -VERSION=5.2.6 +VERSION=5.2.7 usage() # $1 = exit status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.6/manpages/shorewall-lite-vardir.5 new/shorewall-lite-5.2.7/manpages/shorewall-lite-vardir.5 --- old/shorewall-lite-5.2.6/manpages/shorewall-lite-vardir.5 2020-07-04 19:42:22.000000000 +0200 +++ new/shorewall-lite-5.2.7/manpages/shorewall-lite-vardir.5 2020-07-29 21:54:33.000000000 +0200 @@ -2,12 +2,12 @@ .\" Title: shorewall-lite-vardir .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 07/04/2020 +.\" Date: 07/29/2020 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\-VAR" "5" "07/04/2020" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\-VAR" "5" "07/29/2020" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.6/manpages/shorewall-lite.8 new/shorewall-lite-5.2.7/manpages/shorewall-lite.8 --- old/shorewall-lite-5.2.6/manpages/shorewall-lite.8 2020-07-04 19:42:23.000000000 +0200 +++ new/shorewall-lite-5.2.7/manpages/shorewall-lite.8 2020-07-29 21:54:33.000000000 +0200 @@ -2,12 +2,12 @@ .\" Title: shorewall-lite .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 07/04/2020 +.\" Date: 07/29/2020 .\" Manual: Administrative Commands .\" Source: Administrative Commands .\" Language: English .\" -.TH "SHOREWALL\-LITE" "8" "07/04/2020" "Administrative Commands" "Administrative Commands" +.TH "SHOREWALL\-LITE" "8" "07/29/2020" "Administrative Commands" "Administrative Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.6/manpages/shorewall-lite.conf.5 new/shorewall-lite-5.2.7/manpages/shorewall-lite.conf.5 --- old/shorewall-lite-5.2.6/manpages/shorewall-lite.conf.5 2020-07-04 19:42:22.000000000 +0200 +++ new/shorewall-lite-5.2.7/manpages/shorewall-lite.conf.5 2020-07-29 21:54:32.000000000 +0200 @@ -2,12 +2,12 @@ .\" Title: shorewall-lite.conf .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 07/04/2020 +.\" Date: 07/29/2020 .\" Manual: Configuration Files .\" Source: Configuration Files .\" Language: English .\" -.TH "SHOREWALL\-LITE\&.CO" "5" "07/04/2020" "Configuration Files" "Configuration Files" +.TH "SHOREWALL\-LITE\&.CO" "5" "07/29/2020" "Configuration Files" "Configuration Files" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.6/releasenotes.txt new/shorewall-lite-5.2.7/releasenotes.txt --- old/shorewall-lite-5.2.6/releasenotes.txt 2020-07-04 19:40:53.000000000 +0200 +++ new/shorewall-lite-5.2.7/releasenotes.txt 2020-07-29 21:53:02.000000000 +0200 @@ -1,7 +1,7 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 5 . 2 . 6 + S H O R E W A L L 5 . 2 . 7 ------------------------------- - J U L Y 0 4 , 2 0 2 0 + J U L Y 3 1 , 2 0 2 0 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE @@ -14,46 +14,7 @@ I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) This release includes defect repair up through Shorewall version - 5.2.5.2. - -2) When compiling for export, the compiler generates a firewall.conf - file which is later installed on the remote firewall system as - ${VARDIR}/firewall.conf. Previously, the CLI on that firewall was - not processing the file, resulting in some features not being - available: - - - Default values for VERBOSITY, LOGFILE, LOGFORMAT, PATH, - SHOREWALL_SHELL, SUBSYSLOCK, RESTOREFILE, RESTART, - DYNAMIC_BLACKLIST and PAGER are not supplied. - - - scfilter file supplied at compile time. - - - dumpfilter file supplied at compile time. - - That has been corrected. - -3) A bug in iptables (see - https://git.netfilter.org/iptables/commit/?id=d1555a0906e35ba8d170613d5a43da64e527dbe1) - prevents the '--queue-cpu-fanout' option from being applied unless - that option is the last one specified. Unfortunately, Shorewall - places the '--queue-bypass' option last if that option is also - specified. - - This release works around this issue by ensuring that the - '--queue-cpu-fanout' option appears last. - -4) The -D 'compile', 'check', 'reload' and 'Restart' option was - previously omitted from the output of 'shorewall help'. It is now - included. As part of this change, an incorrect and conflicting - description of the -D option was removed from the 'remote-restart' - section of shorewall(8). - -5) Previously, when EXPAND_POLICIES=No, chains that enforced ACCEPT - policies were not completely optimized by optimize level 2 (ACCEPT - rules preceding the final unconditional ACCEPT were not - deleted). That has been corrected such that these rules are now - optimized. +1) This release contains defect repair up through Shorewall 5.2.6.1. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G @@ -101,45 +62,30 @@ I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- -1) The 'actions' file now supports a 'dport' option to go along with - the 'proto' option. Using these two options can now restrict an - action to a particular service. See shorewall-actions(5) for - details. - - Example limiting net->all SSH connections to 3/min per source IP: - - /etc/shorewall/actions: - - SSHLIMIT proto=tcp,\ # Blacklist overzealous SSHers - dport=ssh - - /etc/shorewall/action.SSLHIMIT - - ACCEPT { RATE=s:3/min:3 } - BLACKLIST:$LOG_LEVEL:net_SSHLIMIT - - /etc/shorewall/rules: - - SSHLIMIT net all - -2) The change to 'show actions' implemented in 5.2.5.1 (see below) - has been further extended. - - - "?IF...?ELSE...?ENDIF" sequences are now shown in the output - - Continuation lines are now shown in the output so that all - action options are now displayed - - If an action appears in both /usr/share/shorewall[6]/actions.std - and in /etc/shorewall[6]/actions, then the entry in the actions - file is shown followed by the entry in the actions.std file. +1) Previously, it was not possible to classify traffic by destination + IP address when using an Intermediate Functional Block (IFB) for + traffic shaping. This is because such classification takes place + before the traffic passes through the mangle PREROUTING chain. + + Such filtering is now possible by setting the 'connmark' option in + the tcdevices file. This option causes the current connection mark + to be copied to the packet mark prior to filtering, thus allowing + the packet mark to be used for classification. + + This change adds a new CONNMARK_ACTION capability which is + required to be able to specify the 'connmark' option. + + Rodrigo Araujo provided the bulk of the code for this enhancement. + +2) The tcpri file now supports ?FORMAT 2 which inserts an SPORT + column directly to the right of the PORT column. As part of this + change, the PORT column is renamed to DPORT while allowing both + 'port' and 'dport' to be used in the alternate input format. See + shorewall-tcpri(5) and + http://shorewall.org/simple_traffic_shaping.html for additional + information. -3) To emphasize that it specifies destination ports, the PORT column - in the snat file has been renamed DPORT. Beginning with this - release, both 'port' and 'dport' are accepted in the alternative - input format. - -4) The snat file now supports ?FORMAT 2, which adds an SPORT (source - port) column immediately to the right of the DPORT (destination - port) column. +3) The Simple TC document is now linked to FAQs 97 and 97a. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S @@ -539,6 +485,135 @@ ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 5 . 2 R E L E A S E S ---------------------------------------------------------------------------- + N E W F E A T U R E S I N 5 . 2 . 6 +---------------------------------------------------------------------------- + +1) The 'actions' file now supports a 'dport' option to go along with + the 'proto' option. Using these two options can now restrict an + action to a particular service. See shorewall-actions(5) for + details. + + Example limiting net->all SSH connections to 3/min per source IP: + + /etc/shorewall/actions: + + SSHLIMIT proto=tcp,\ # Blacklist overzealous SSHers + dport=ssh + + /etc/shorewall/action.SSLHIMIT + + ACCEPT { RATE=s:3/min:3 } + BLACKLIST:$LOG_LEVEL:net_SSHLIMIT + + /etc/shorewall/rules: + + SSHLIMIT net all + +2) The change to 'show actions' implemented in 5.2.5.1 (see below) + has been further extended. + + - "?IF...?ELSE...?ENDIF" sequences are now shown in the output + - Continuation lines are now shown in the output so that all + action options are now displayed + - If an action appears in both /usr/share/shorewall[6]/actions.std + and in /etc/shorewall[6]/actions, then the entry in the actions + file is shown followed by the entry in the actions.std file. + +3) To emphasize that it specifies destination ports, the PORT column + in the snat file has been renamed DPORT. Beginning with this + release, both 'port' and 'dport' are accepted in the alternative + input format. + +4) The snat file now supports ?FORMAT 2, which adds an SPORT (source + port) column immediately to the right of the DPORT (destination + port) column. + +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 5 . 2 . 6 +---------------------------------------------------------------------------- + +5.2.6.1 + +1) Previously, Perl diagnostics or outright failures could occur + during update. + + Examples: + + Processing /etc/shorewall/params ... + Use of uninitialized value $policy in pattern match (m//) at + /usr/share/shorewall/Shorewall/Config.pm line 5531. + Use of uninitialized value $policy in pattern match (m//) at + /usr/share/shorewall/Shorewall/Config.pm line 5537. + Use of uninitialized value $policy in pattern match (m//) at + /usr/share/shorewall/Shorewall/Config.pm line 5543. + Use of uninitialized value $policy in pattern match (m//) at + /usr/share/shorewall/Shorewall/Config.pm line 5531. + Use of uninitialized value $policy in pattern match (m//) at + /usr/share/shorewall/Shorewall/Config.pm line 5537. + Use of uninitialized value $policy in pattern match (m//) at + /usr/share/shorewall/Shorewall/Config.pm line 5543. + Configuration file /root/try/shorewall.conf updated - old file renamed + /root/try/shorewall.conf.bak + Loading Modules... + ERROR: Internal error in Shorewall::Config::detect_capability + + This defect has been corrected. + +2) Previously, if 'update' added a CONFIG_PATH setting to + shorewall[6].conf, that setting could contain "::" which could + then cause the next 'update' to fail. Now, the compiler correctly + handles double colons in the CONFIG_PATH setting. + +3) Local zones (type 'local' in /etc/shorewall[6]/zones) are only + accessible from the firewall and from vserver zones. Previously, + the compiler generated superluous rules for handling forwarded + traffic from such zones; that has been corrected, and no + forwarding rules are now generated. + +5.2.6 + +1) This release includes defect repair up through Shorewall version + 5.2.5.2. + +2) When compiling for export, the compiler generates a firewall.conf + file which is later installed on the remote firewall system as + ${VARDIR}/firewall.conf. Previously, the CLI on that firewall was + not processing the file, resulting in some features not being + available: + + - Default values for VERBOSITY, LOGFILE, LOGFORMAT, PATH, + SHOREWALL_SHELL, SUBSYSLOCK, RESTOREFILE, RESTART, + DYNAMIC_BLACKLIST and PAGER are not supplied. + + - scfilter file supplied at compile time. + + - dumpfilter file supplied at compile time. + + That has been corrected. + +3) A bug in iptables (see + https://git.netfilter.org/iptables/commit/?id=d1555a0906e35ba8d170613d5a43da64e527dbe1) + prevents the '--queue-cpu-fanout' option from being applied unless + that option is the last one specified. Unfortunately, Shorewall + places the '--queue-bypass' option last if that option is also + specified. + + This release works around this issue by ensuring that the + '--queue-cpu-fanout' option appears last. + +4) The -D 'compile', 'check', 'reload' and 'Restart' option was + previously omitted from the output of 'shorewall help'. It is now + included. As part of this change, an incorrect and conflicting + description of the -D option was removed from the 'remote-restart' + section of shorewall(8). + +5) Previously, when EXPAND_POLICIES=No, chains that enforced ACCEPT + policies were not completely optimized by optimize level 2 (ACCEPT + rules preceding the final unconditional ACCEPT were not + deleted). That has been corrected such that these rules are now + optimized. + +---------------------------------------------------------------------------- N E W F E A T U R E S I N 5 . 2 . 5 ---------------------------------------------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.6/shorewall-lite.spec new/shorewall-lite-5.2.7/shorewall-lite.spec --- old/shorewall-lite-5.2.6/shorewall-lite.spec 2020-07-04 19:40:53.000000000 +0200 +++ new/shorewall-lite-5.2.7/shorewall-lite.spec 2020-07-29 21:53:02.000000000 +0200 @@ -1,5 +1,5 @@ %define name shorewall-lite -%define version 5.2.6 +%define version 5.2.7 %define release 0base %define initdir /etc/init.d @@ -114,6 +114,12 @@ %doc COPYING changelog.txt releasenotes.txt %changelog +* Wed Jul 29 2020 Tom Eastep <teas...@shorewall.net> +- Updated to 5.2.7-0base +* Sat Jul 25 2020 Tom Eastep <teas...@shorewall.net> +- Updated to 5.2.7-0RC1 +* Tue Jul 07 2020 Tom Eastep <t...@shorewall.net> +- Updated to 5.2.7-0Beta1 * Mon Jun 29 2020 Tom Eastep <t...@shorewall.net> - Updated to 5.2.6-0base * Sat Jun 27 2020 Tom Eastep <t...@shorewall.net> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/shorewall-lite-5.2.6/uninstall.sh new/shorewall-lite-5.2.7/uninstall.sh --- old/shorewall-lite-5.2.6/uninstall.sh 2020-07-04 19:40:53.000000000 +0200 +++ new/shorewall-lite-5.2.7/uninstall.sh 2020-07-29 21:53:02.000000000 +0200 @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=5.2.6 +VERSION=5.2.7 usage() # $1 = exit status { ++++++ shorewall-5.2.6.tar.bz2 -> shorewall6-5.2.7.tar.bz2 ++++++ ++++ 122600 lines of diff (skipped) ++++++ shorewall-lite-5.2.6.tar.bz2 -> shorewall6-lite-5.2.7.tar.bz2 ++++++ ++++ 3292 lines of diff (skipped)
